WhiteHat Security Presentation
WhiteHat Security Sales Presentation. Please contact [email protected] for more information.
© 2007 WhiteHat Security, Inc.
WhiteHat Security – Website Risk Management
Mark G. Meyer, Director of Sales – [email protected]
© 2009 WhiteHat Security | page 2
Web Application - User’s View
Web Application – Hacker’s View
• Session Hijacking
• Parameter Manipulation
• Cross-site scripting
• Buffer Overflow
• Password Guessing
• Denial of Service
• Account Enumeration
• SQL Injection
WhiteHat Security – Website Risk Management
• Evolution of End-to-End Website Risk Management
– WhiteHat Security Founded 2001
– Premium Edition Service launched in 2003
– Sentinel Standard Edition introduced 2007, Baseline Edition 2009
– Visibility into risk enables oversight, measurement, process control, management
• Control Web Application Security Costs
– Scalable, SaaS – Annual Subscription
– 10,000’s of assessments performed annually
– Unlimited assessments during term of agreement
– Fixed annual fee, cost-efficient
• Proven Methodology
– Hundreds of Enterprise Customers
– ALL Vulnerabilities verified for accuracy
• Turnkey
– No installation of Hardware or Software
– No need to hire, train, and retain additional personnel
Website Risk Management – 4 Phase Approach
WhiteHat Sentinel – Vulnerability Management
Sentinel PE (Fully Targeted)
• High Impact / Production Sites – assessed by Consultants or scanning tools
• Performs critical business functions
• Configured assessment delivery
• Manual testing for business logic issues
• Verified vulnerability reporting
Sentinel SE (Directed)
• Internal / Customer Facing Sites – assessed by scanning tools
• Configured assessment delivery
• Verified vulnerability reporting
Sentinel BE (Random)
• Broad Based Coverage – less-complex sites
• Self-service assessment delivery
• Verified vulnerability reporting
WhiteHat Sentinel Vulnerability Coverage
Technical: Identify with Automation
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting
• Insecure Content
Business Logic: Human Analysis
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
(Slide legend: Premium Edition / Standard Edition / Baseline Edition)
WhiteHat Sentinel – Key Functionality
• Per Website Subscription
• Combination of advanced proprietary technology and expert analysis
• On-Demand Turnkey solution
• 24x7 Reporting / Communication
• Unlimited Assessments / Users
• All Vulnerabilities Verified for Accuracy
• Geared for Development & Production
• Accurate prioritization of risk
• XML API Integration
• WAF Integration – Protection Layer
• Website Security Certification
How WhiteHat Sentinel Works
Secure Protection Layer – Education / WAF
• Introduction to Website Security – Overview of Web application security. Understand how Web applications work, how to find and exploit vulnerabilities, and solutions for protection.
• Secure Coding for Java Developers – The dangers of insecure coding practices. Specific ways code can be exploited, and how to write code to avoid introducing vulnerabilities.
Questions?
Supplemental Slides
Alerts – Message Center
Executive Summary – Enterprise Visibility
Website Summary – Individual Activity
Vulnerability Viewer – Remediation / Mitigation
Attack Vector Details – Code Level
Findings Summary – Auditing / Compliance
Scan Scheduler – Control Center
Reporting – Custom Analytics
Resources – API / Best Practices